IPv6-Ready DNS/DNSSSEC InfrastructureT-Mobile USABellevueWAUnited States of AmericaCameron.Byrne@T-Mobile.comThe IPv6 CompanyMolino de la Navata, 75La Navata - GalapagarMadrid28420Spainjordi.palet@theipv6company.comhttp://www.theipv6company.com/v6ops
IPv6, DNSSEC, NAT64, DNS64, 464XLAT
This document defines the timing for implementing a worldwide
IPv6-Ready DNS and DNSSEC infrastructure, in order to facilitate
the global IPv6-only deployment.A key issue for this, is the need for a global support of DNSSEC
and DNS64, which in some scenarios do not work well together. This
document states that any DNSSEC signed resources records should
include a native IPv6 resource record as the most complete and
expedient path to solve any deployment conflict with DNS64 and DNSSECOne of the main issues to ensure the best path for the IPv4 to IPv6
transition and the support of an IPv6-only Internet, is to ensure that
all the services remain accessible by means of DNS.One of the alternatives is the use of NAT64 ()
and DNS64 (), sometimes by means 464XLAT (),
which will help to ensure that, when a network or part of it, becomes IPv6-only,
still can have access to IPv4-only resources.DNS64 () is a widely deployed technology allowing
hundreds of millions of IPv6-only hosts/networks to reach IPv4-only resources.
DNSSEC is a technology used to validate the authenticity of information in the
DNS, however, as DNS64 () modifies DNS answers and DNSSEC is designed
to detect such modifications, DNS64 () can break DNSSEC in some circumstances.Furthermore, the deployment of those transition mechanisms means
that the cost of the transition is on the back of the service
provider, because the investment required in the devices that take
care of that transition services and the support of the helpdesks
to resolve issues. So in the end, all that cost is indirectly
charged to the end-user, which is unfair.It seems obvious that should not be that way, and the end-goal is
a situation where we get rid-off IPv4-only services, and meanwhile,
the cost borne by the IPv4 laggards operating those services.This document provides the steps to be able to tackle that
situation and advance with the global IPv6 deployment in a fair way.The document also states that the most complete and expedient path to avoid
any negative interactions is, for the DNSSEC signed resources, to always
include IPv6 AAAA resources records. As stated in ,
IPv6 is not optional and failing to support IPv6
may result in failure to communicate on the Internet, especially when DNSSEC
signed IPv4-only resources are present.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14
when, and only when, they appear in all capitals, as shown here.DNS64 () is a key part of widely deployed IPv6-only
transition mechanism such as 464XLAT () and Happy
Eyeballs version 2 (). Currently, hundreds of millions
of hosts rely on DNS64 () for access to the Internet.
A core function of DNS64 () is generating an inauthentic
AAAA DNS record when an authentic AAAA DNS record for a host is not available
from the authoritative nameserver. DNSSEC's fundamental feature is detecting
and denying inauthentic DNS resource records. While DNS64 ()
outlines may work in harmony with DNSSEC, the preconditions may not always
exist for harmony to be achieved.DNS64 () and DNSSEC are both important components
of the current and future Internet. The limitation for how these protocols
interact is unlikely to changes. Deploying DNSSEC and IPv6 are both commonly
achievable for a typical Internet system operator using their own
systems or using a third-party service. The resolution to the DNS64
() and DNSSEC conflict is to simply deploy both,
IPv6 and DNSSEC in tandem.Deploying DNSSEC signed IPv4 resources records without matching IPv6 records
is a risk and not recommend.Ultimately, this guidance is simply restating ,
that IPv6 is mandatory for all Internet systems.Similarly, to what is stated in the precedent section for DNS64
() and DNSSEC, a smoother and less painful transition
from IPv4 to IPv6, and the succesful deployment of an IPv6-only Internet,
can be facilitated by requiring AAAA resource records at every DNS instance.In the context of this document, and others that may be generated
as a consequence of it, "IPv6-Ready DNS/DNSSEC Infrastructure" means
that a DNS/DNSSEC server (root, TLD, authoritative NS, others) is
fully accessible and operational if queried either from a remote dual-stack
network or an IPv6-only network.In general, that means having AAAA RRs in addition to A RRs,
ensuring that PMTUD works correctly and fragmentation is correctly handled.In case DNSSEC is implemented with IPv4, it MUST support also IPv6-only
operation according the above considerations.Towards the implementation of the worldwide IPv6-Ready DNS/DNSSEC
infrastructure, considering that there are no excuses for a DNS operator to
support IPv6, the following deadlines are defined counting since
the date this document becomes an RFC:All the root and TLDs MUST be IPv6-Ready in 6 months.All the DNSSEC signed zones MUST be IPv6-Ready in 6 months.All the authoritative NS MUST be IPv6-Ready in 12 months.The remaining RRs in other DNS servers, MUST be IPv6-Ready in 18 months.Probing mechanisms to verify that the relevant AAAA are fully operational
MUST be setup by IANA. If there is a failure at the deadline in complying with
those requirements, the relevant NS, MUST be temporarily suspended
until there is a subsequent successful verification.DNSSEC is a good security practice. Providing AAAA DNSSEC signed
records wherever a DNSSEC signed A record is used ensures the most
effective use of DNSSEC.IANA and ICANN are instructed by means of this document, to take the relevant
measures for ensuring the steps towards the above indicated implementation
timing.It is suggested that frequent warnings are provided to the relevant
stakeholders, in advance to each of the deadlines.The author would like to acknowledge the inputs of ... TBD.